hadoop生态的kerberos认证系列3-hbase

一、准备工作

停掉hadoop集群；
安装好kerberos认证服务；

二、hbase配置

1.修改hbase-site.xml文件

添加如下内容：

<property>
    <name>hbase.master.kerberos.principal</name>
    <value>root/_HOST@EXAMPLE.COM</value>
</property>
<property>
    <name>hbase.master.keytab.file</name>
    <value>/usr/data/kerberos/keytab/root.keytab</value>
</property>
<property>
    <name>hbase.regionserver.kerberos.principal</name>
    <value>root/_HOST@EXAMPLE.COM</value>
</property>
<property>
    <name>hbase.regionserver.keytab.file</name>
    <value>/usr/data/kerberos/keytab/root.keytab</value>
</property>
<property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
</property>
<property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,
    org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
    org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

2.修改habse-env.sh文件

添加或修改如下:

export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=/usr/local/hbase/hbase-1.4.13/conf/hbase-jaas.conf"

##另外若是原先安装hbase时，未配置的话,请加上以下内容（尤其是后面的指向hadoop路径，若未指向hadoop，则会在启动时报错）：
export HBASE_MANAGES_ZK=false
export HBASE_CLASSPATH=$HBASE_CLASSPATH:/usr/local/hbase/hbase-1.4.13/conf:/usr/local/hbase/hbase-1.4.13/lib:/usr/local/hadoop/hadoop-2.7.4/etc/hadoop

3.新增hbase-jaas.conf文件

新增/usr/local/hbase/hbase-1.4.13/conf/hbase-jaas.conf文件，其中就是在2.修改habse-env.sh文件中所指向的文件。
内容如下：

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/usr/data/kerberos/keytab/root.keytab"
  storeKey=true
  useTicketCache=false
  principal="hadoop/node@EXAMPLE.COM";
};

4.修改zoo.cfg

另外在zookeeper的配置文件zoo.cfg中加入：

skipACL=yes

按参考文章的说法，如果没有此配置,会出现InvalidACL for /hbase的错误，导致HMaster无法正常启动。
但实际上好像没啥用，此处用处待定。

三、验证

1.启动

start-hbase.sh
要能正常启动，且各节点不掉，不会启动了过一会就掉，出现这种情况就检查下配置

[root@node hadoop]# jps
94561 HMaster #HMaster、hbase
2830 NameNode #nn、hdfs
82193 RunJar
92176 RunJar
94711 HRegionServer #HRegionServer、hbase
3352 ResourceManager #yarn
34104 QuorumPeerMain #zk
4314 RunJar
3228 Secur #即代表了datanode、hdfs
2973 SecondaryNameNode #snn、hdfs
3583 NodeManager #yarn
6879 JobHistoryServer #HistoryServer、yarn
106974 Jps

2.验证

进hbase的操作行：hbase shell
若是没有进行kerberos登录，则会出现报错或者提示未连接；

[root@node conf]# hbase shell
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase/hbase-1.4.13/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop/hadoop-2.7.4/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
Version 1.4.13, r38bf65a22b7e9320f07aeb27677e4533b9a77ef4, Sun Feb 23 02:06:36 PST 2020

hbase(main):001:0> list
TABLE                                                                                                                                                            
2020-12-25 13:49:51,889 FATAL [main] ipc.BlockingRpcConnection: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
	at org.apache.hadoop.hbase.security.AbstractHBaseSaslRpcClient.getInitialResponse(AbstractHBaseSaslRpcClient.java:130)
	at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:81)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.setupSaslConnection(BlockingRpcConnection.java:353)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.access$600(BlockingRpcConnection.java:85)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$2.run(BlockingRpcConnection.java:455)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$2.run(BlockingRpcConnection.java:452)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1746)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.setupIOstreams(BlockingRpcConnection.java:452)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.writeRequest(BlockingRpcConnection.java:540)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.tracedWriteRequest(BlockingRpcConnection.java:520)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.access$200(BlockingRpcConnection.java:85)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection$4.run(BlockingRpcConnection.java:724)
	at org.apache.hadoop.hbase.ipc.HBaseRpcControllerImpl.notifyOnCancel(HBaseRpcControllerImpl.java:240)
	at org.apache.hadoop.hbase.ipc.BlockingRpcConnection.sendRequest(BlockingRpcConnection.java:699)
.....
省略
.....

若是登录了，才能进行正常操作，登录后重新进入hbase shell：

[root@node conf]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node conf]# kinit -kt /usr/data/kerberos/keytab/root.keytab root/node
[root@node conf]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/node@EXAMPLE.COM

Valid starting       Expires              Service principal
2020-12-25T13:51:26  2020-12-26T13:51:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-01-01T13:51:26
[root@node conf]# hbase shell
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase/hbase-1.4.13/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop/hadoop-2.7.4/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
Version 1.4.13, r38bf65a22b7e9320f07aeb27677e4533b9a77ef4, Sun Feb 23 02:06:36 PST 2020

hbase(main):001:0> list
TABLE                                                                                                                                                            
KYLIN_L8OCJV6QTO                                                                                                                                                 
KYLIN_OURXTOKFLR                                                                                                                                                 
KYLIN_UF00E2GOT9                                                                                                                                                 
ext_capacity_stats_live_exception                                                                                                                                
kylin_metadata                                                                                                                                                   
5 row(s) in 0.2040 seconds

=> ["KYLIN_L8OCJV6QTO", "KYLIN_OURXTOKFLR", "KYLIN_UF00E2GOT9", "ext_capacity_stats_live_exception", "kylin_metadata"]
hbase(main):002:0>